Speaking at the Virus Bulletin 2019 conference in London, Yonathan Klijnsman, head of threat research at RiskIQ, said that many groups had been identified as being behind recent Magecart attacks, but new movements were being made towards more targeted attacks.
Klijnsman explained that traditional Magecart attacks groups would get into a company’s network, and they would typically target e-commerce organizations, with only “25 lines of javascript.” He said that the web skimmers worked on the server side, and in 2016 RiskIQ observed more groups starting to do this, “and there are 15 active groups that we tracked.”
Pointing to Group 6 that IBM’s X-Force published a report on, Klijnsman said that “once they are in your network they will know more than you do, they are the admins you want to hire.” The group later hit both NewEgg and British Airways, having access to the former for six months, but crucially not being present during Black Friday, as they had been detected and removed by then.
Another called Group 5 are “experts in support,” and Klijnsman said that they know of at least 20 suppliers that have been hit by this group. “They hit one supplier who had over 100,000 victim websites” and while it delivers malicious code, it will not have access to payment data.
A group that RiskIQ plans to reveal more details on in the coming months is Group 15, who Klijnsman said are “very specialized” as they have built a framework for skimming, and are able to remove a payment form and put their own in it's place.
This, he said, was part of the evolution of the groups, as they are doing more targeting and learning more about content management systems. In the case of the attack on Ticketmaster, this was enabled by a compromise of Sociaplus between December 2017 to June 2018.
This was part of one of the three main compromise capabilities: via outdated or misconfigured systems, via password reuse as groups are looking at breached user lists and supply chain attack.
“The latter is not something people are talking about and while you want analytics and CDNs and services, they make you vulnerable and make your customers and visitors vulnerable to attack.”